Commit aac053a

1 parent 88b9dab commit aac053a

File tree

1 file changed

+6
-2
lines changed


advisories/github-reviewed/2025/04/GHSA-r5cr-xm48-97xp/GHSA-r5cr-xm48-97xp.json

Lines changed: 6 additions & 2 deletions
@@ -1,13 +1,13 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-r5cr-xm48-97xp",
4-
"modified": "2025-05-01T13:30:27Z",
4+
"modified": "2025-05-05T17:50:17Z",
55
"published": "2025-04-30T16:49:47Z",
66
"aliases": [
77
"CVE-2025-46554"
88
],
99
"summary": "XWiki missing authorization when accessing the wiki level attachments list and metadata via REST API",
10-
"details": "### Impact\n\nAnyone can access the metadata of any attachment in the wiki using the wiki attachment REST endpoint. It's not filtering the result depending on current user rights, a not authenticated user could exploit this even in a totally private wiki.\n\nTo reproduce:\n\n* remove view from guest on the whole wiki\n* logout\n* access http://127.0.0.1:8080/xwiki/rest/wikis/xwiki/attachments\n\nYou get a list of attachments, while the expected result should be an empty list.\n\n### Patches\n\nThis vulnerability has been fixed in XWiki 14.10.22, 15.10.12, 16.7.0-rc-1 and 16.4.3.\n\n### Workarounds\n\nWe're not aware of any workaround except upgrading.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)\n* Email us at [Security Mailing List](mailto:security@xwiki.org)\n\n### Attribution\n\nIssue reported by Lukas Monert.",
10+
"details": "### Impact\n\nAnyone can access the metadata of any attachment in the wiki using the wiki attachment REST endpoint. It's not filtering the result depending on current user rights, a not authenticated user could exploit this even in a totally private wiki.\n\nTo reproduce:\n\n* remove view from guest on the whole wiki\n* logout\n* access http://127.0.0.1:8080/xwiki/rest/wikis/xwiki/spaces/Sandbox/pages/WebHome/attachments\n\nYou get a list of attachments, while the expected result should be an empty list.\n\n### Patches\n\nThis vulnerability has been fixed in XWiki 14.10.22, 15.10.12, 16.7.0-rc-1 and 16.4.3.\n\n### Workarounds\n\nWe're not aware of any workaround except upgrading.\n\n### References\n* https://jira.xwiki.org/browse/XWIKI-22424\n* https://jira.xwiki.org/browse/XWIKI-22427\n* https://github.com/xwiki/xwiki-platform/commit/a43e933ddeda17dad1772396e1757998260e9342#diff-0\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)\n* Email us at [Security Mailing List](mailto:security@xwiki.org)\n\n### Attribution\n\nIssue reported by [Lukas Monert](https://github.com/LMonert).",
1111
"severity": [
1212
{
1313
"type": "CVSS_V3",
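Review bot: the edited "details" field now contradicts the unchanged "summary" field in this hunk. The summary still describes the issue as "missing authorization when accessing the wiki level attachments list and metadata via REST API", but the reproduction step was changed from the wiki-level endpoint `http://127.0.0.1:8080/xwiki/rest/wikis/xwiki/attachments` to the page-level endpoint `http://127.0.0.1:8080/xwiki/rest/wikis/xwiki/spaces/Sandbox/pages/WebHome/attachments`, while the surrounding sentence still says "using the wiki attachment REST endpoint". Either update the summary and the "Impact" sentence to say which endpoint (or both) is affected, or keep the wiki-level URL in the reproduction steps, so that readers triaging the CVE know which REST resource to check. Also, the new "### References" section cites a second issue, XWIKI-22427, without saying what it covers relative to XWIKI-22424; one clause in the details explaining the relationship (for example, whether it tracks the page-level endpoint) would make the two issues easier to follow.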
@@ -120,6 +120,10 @@
120120
{
121121
"type": "WEB",
122122
"url": "https://jira.xwiki.org/browse/XWIKI-22424"
123+
},
124+
{
125+
"type": "WEB",
126+
"url": "https://jira.xwiki.org/browse/XWIKI-22427"
123127
}
124128
],
125129
"database_specific": {
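Review bot: the new "references" entry for `https://jira.xwiki.org/browse/XWIKI-22427` mirrors the issue added to the "### References" section of the details, which is good, but the details also cite the fix commit `https://github.com/xwiki/xwiki-platform/commit/a43e933ddeda17dad1772396e1757998260e9342#diff-0`, and no entry for it is added here. The rest of the "references" array is outside this hunk, so please verify whether that commit URL is already present; if it is not, add a matching `{ "type": "WEB", "url": ... }` entry so the structured references stay in sync with the prose. The added comma on the closing brace of the XWIKI-22424 entry and the new object are well-formed JSON as shown.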
